How's it going? First of all, I want to say holy shit, I'm speaking at DEF CON and it's an
honor. And second of all, holy shit, people actually showed up. So thank you very much.
That's an honor as well. So I'm going to talk to you today about getting the goods with
smbexec. And my name is Eric Milam. Some people might know me as brav0hax.
Thank you very much. That's the end. So, you know, of course, don't you know who I am?
I'm on the attack and pen team for Accuvant Labs with a bunch of great people, my boy
purehate. We do a lot of pen tests together. Involved with some open source projects. Maybe
you guys have heard of easy-creds, smbexec, of course. We took over Ettercap a few years
ago and involved with the Kali Linux distribution. So what is this all about, right? Basically
we're going to go over what is smbexec, what does it do, why should you actually care.
There's nothing zero day here. So you can boom, you know, boom, boom, boom, boom, boom, boom,
if you want. But automation is awesome. This is a tool you can use immediately. It's not
some weird exploit that the sun and the moon have to align on a certain day. And it makes
post exploitation much easier, at least it has for me.
So what is smbexec? smbexec is a bash script because everybody who knows me knows
I don't know how to code for shit. But I'm very good with the Googles and I just put
a bunch of shit together until it works. So it's about 1500 lines and about a million
different functions. Put it together in a week, about an hour ‑‑ about 100 hours
worth of time, about, you know, a year's worth of Mountain Dew. The power of the tool really
lies in smbclient to get and put files and winexe to execute those. And we have patched
them for hash passing. So that works as well. So why write smbexec, right? I mean, there's
awesome tools out there, right? Has anybody heard of the Metasploits? Awesome tools. Why
would you actually need this? Well, we were on a bunch of pen tests and we started to realize
that our ‑‑ that the psexec module was getting popped with our payloads. So we
used the custom EXE option but that was also getting popped. So we threw that to the community
and basically Mubix, wherever Mubix is, found out real quick for us that basically what
it was triggering on was the injection and the service protection. So, you know, fuck
you Trend Micro, but thanks for the motivation. We appreciate it.
So after we ran into this a few times, purehate actually found a blog post by Carnal0wnage
that was basically upload and execute your payload and that's kind of where the
script was born from. So originally, right, we just wanted to get our shells. We wanted
our shells. So we wrote it so it would create an obfuscated payload that would bypass most
AVs. The newer versions you can actually enable Hyperion, Cryptor.exe and encrypt it as well.
We also had it so it would create a Metasploit RC file for us and launch that. It would
either launch it in xterm or screen depending on what you commented out. If it doesn't
recognize X is running, it will automatically launch the attacks in screen. So that's kind
of where it was at. And then we started learning a little bit more about winexe and we're like,
you know, hey, we can basically run native Windows commands and there's a lot of cool
stuff that we could probably end up doing. So I'm not a Windows guy. So, again, I went
to Google and Google told me what to do. And we started realizing some of the great
things that we could do with it. Because what we really wanted the tool to do was to basically
kind of go undetected and just look like normal Windows, you know, traffic or normal network
traffic to our victims. So winexe, I don't know if anybody is familiar
with it. I hope you guys are. It's awesome. It's similar to the Sysinternals PsExec modules.
I'm sorry, the Sysinternals PsExec tools. And it also has a system flag. It also has
an uninstall flag, which is also awesome. And I'll explain those a little bit later.
There's no, you know, quote, unquote, payload necessary. You can basically run winexe and
just issue CMD and it will give you a command shell back from the victim computer without
executing a binary. And it looks like normal Windows traffic to OPSEC. Basically you're
getting what they should end up seeing is a successful launch. So that's kind of what
we're trying to do is log in over the network. There are some caveats which I'll discuss
later that might be red flags. So if you can execute commands as SYSTEM, right,
the possibilities are virtually limitless. So you can dump hashes from a workstation
or server, create volume shadow copy, run other tools as SYSTEM, enable, disable UAC,
bypass it. You can also check systems for DA accounts logged in or running a process.
Is that some type of sign for me? I'm not fucking with anybody.
You all know the drill. What does every new speaker do?
So I'm Mormon. Not really. I'm a recovering Mormon.
That's a good one. There you are.
Thank you. Congratulations.
Thank you.
As you were.
Let's see him get back into it now.
Oh, you can't hear me? Okay. I know. All right. So is this better?
All right. I apologize.
Okay. So where were we at? So basically we can execute shit as SYSTEM. Fuck it. We might
as well.
Is that the alcohol?
So we're like, well, holy fuck, let's get some hashes, right? You know, old school
way was to get the registry keys out and do it. So fuck, let's automate that. So we wrote
smbexec to dump the hashes from workstations and servers, and what it basically does is
it just runs the Windows command reg.exe save, and it saves the registry key. So SYS
plus SAM is your local hashes. Everybody probably knows that. SYS plus SEC is your
domain cache credentials. And then we run it through creddump, which converts it into
the hashes in the John format. And, of course, we've got our high quality hash there as
well. So one of the other things that I was on a pen test, somebody brought up to me was
WCE. Yes, I know about Mimikatz. I know it's awesome. The integration that they've done
with Metasploit is incredible. There's no political battle for me over this. It's just
this was a tool I found. It's awesome. I worked with Hernan on it. He let me incorporate it
into smbexec. And WCE basically with the -w flag will dump clear text passwords
out of memory. It took me about five lines of code to code that in. That was another reason.
It was super simple. And it runs automagically as part of the hash grab functionality. If you
want to turn that off, you can. You just comment out the code. So smbexec, we're like, shit,
let's get stuff off the domain controller too while we're at it. So again, I went to my friend
Google and Google told me how to go out and run everything from the command line. So what this
will actually do is it will let me do it. I'm going to run it. I'm going to
log in over 445, create a volume shadow copy. It will save off the ntds.dit, the sys key. And
when it's done, it will clean up after itself. It deletes the volume shadow copy it created and
it does all this. And I know there was a blog post in 2011 about this. But I don't know if most
people know, there was actually a blog post and forum post back in 2005 about doing this as
well. So it's been around for a while. It's there. Once everything is good, it runs into
NTDSXtract and libesedb gets the hashes out for you. It also creates a tab separated cred list
for you for other functionality within smbexec. So let's go ahead and see a demo. So I recorded
the demo. So fuck it, we'll do it live.
Does that look all right to you guys? All right. So that's smbexec. So the first thing
you're going to do is you're going to just really quickly just do system enumeration, create a
quick host list. And basically what it's just doing, it's just doing a quick nmap scan,
looking for systems with 139/445 open and it builds a list for you. Then we're going to go
ahead and go into option three, which is obtain. And then we're going to go ahead and go into
obtain hashes, workstations and servers. Please provide the user name. I'm just going to spit it
out here. This is Martin's password. So feel free, if you see purehate anywhere, that's how
you log into his accounts. Here it's a local account. Again, thanks to Mubix, local, this
will give it a period or a dot, which is how developers recognize local accounts. So you can
see it's a local host. And then it recognizes that there was a host list created, so it's going
to run against that. So this does take a little bit of time, you'll see. It's basically what it's
doing, it's going out, it's authenticating, it's logging into the box, it's pulling down the
registry keys. And then when that's done, it will basically upload my obfuscated WCE, it'll run
that command, it'll pump it all out. So it does take a little bit. So let me hop over here and
get this ready.
I'm just getting rid of some of the stuff here that I know comes out of it. Can everybody see that? I made that
font super big, so. Okay, cool. I'm a little hard up here, but.
But I tried. Is that a red card? Okay. So there we go, right? So basically, it's pretty much done.
There's our local hashes. Here's our domain cache credentials. And then we're going to run this
stuff. It's a little bit more complicated. If only you had it. I want to give a shout out to Royce Davis on
our team, r3dy, who actually updated Carlos's cache grab and re-did it so it actually worked
stand alone. So that does include Vista as well as non-Vista versions. And then here's what I
love the most. If I could spell right. Boom. Clear text passwords. Right? So, if you look at that,
that's 20 characters, you're not going to crack that shit. There's no way. So. So, that's all. So, like,
awesome that you can just get out of there. So here's one here, top dog, bravo hacks password.
So I'm going to go ahead and use that one. So let's go ahead and get the domain, go after the
domain controller. So again, three, go after the domain controller. I'm going to
authenticate as top dog. This was Martin's old password. And then I know that the domain
controller, of course, is this. But, you know, there's simple dig commands or whatever you can
look up and find it. So it asks you for the path to the ntds.dit. You can put any drive, any
path. Oh. Oh, wait a second. It helps if I give it the correct IP address. So I'm going to
do that. Okay. Found the ntds.dit. Now it says where do you want to save this stuff off to, right?
You can give it a different path if you want. I'm going to leave it the same. C:\Windows\Temp.
So it checks to make sure that the path provided actually exists. It checks to make sure that
there's disk space. It creates the volume shadow copy. It copies those files off to your local
machine, the ntds.dit and the sys. It then deletes those files that were created. It removes the
volume shadow copy that it created. And then it runs the ntds.dit and the sys. And then it
takes libesedb to extract it and NTDSXtract to get the hashes out. And you can see it's
running there. Takes a little bit. Dramatic pause here. And then success. Looks like we got what
we came for. So let's make sure that's true. Okay. So now we're going to go ahead and
run it. So there you go. That's all the hashes off the domain controller right there for you.
And it was like you were never there. So I have one other surprise for you.
Might not be much of a surprise, but here's the domain controller. Oops. So you can see it's
running. It's running. Wow. I have to spell something wrong. Oh. It's our desktop, right?
Thank you. Thank you very much. Hey, it's Windows Server 2012. What do you know. So this is
going to work for a while. All right. So I'm going to go ahead and run this all.
Hold on. Sorry. Okay. So the caveats, right? There's always caveats, right? You're going
to need credentials to start with. You're going to need something with local admin rights.
Could be a domain account. It could be a local account. But administrator and password tends
to work in nine out of the ten domains we pen test. So go ahead and do that. Of course
there's NBNS spoofing. I'm partial to Ettercap, but that's just me. And of course there's
always MS08-067. So when someone's actually caring or paying attention, winexe actually
creates a service that could be stopped or become a red flag. It actually has a binary that
it does install in the ‑‑ I believe it's either the Windows or the system32 or one of
the paths. So that could be a red flag, could get caught. So it touches disk, basically.
Okay. So I'm going to go ahead and get started. So
sometimes AV doesn't like WCE, but what I've gone ahead and done and the reason why
it took a little bit longer to run was I've actually obfuscated the resource DLLs that
are within the WCE binary and the WCE binary itself. So it takes an extra couple of seconds,
but I'm pretty sure AV is going to have a hard time with it. And that's just part of
what I release. So authentication over ports 139/445 is required, right? If you can't do
that, this doesn't work. And then Locard's exchange principle. Any contact with something
is going to leave a trace.
Like I said, this touches disk, this will not stand up to a forensics investigation. But I
can tell you that most admins are going to look at the server and think everything's just fine.
It does have a lot of logins. That's the main thing is since it's automated, it might log in
three or four times, that might look bad if they're looking for that. So where can I get
smbexec? It's out on SourceForge or GitHub under brav0hax. Metasploit modules are
created. There's actually six modules created by Royce Davis. So we've been working with him
on our team, he's also from pentestgeek.com. Two of them are actually in the framework,
that's psexec_command and ntdsgrab. Impacket, it looks like they developed something in
Python that was based on Royce's work. smbexec version 2.0, like I said, I know bash,
I don't know anything else and I don't really know bash that well. So a couple of guys on
our team ported it to Ruby so it's multithreaded, it works better, less hiccups that come along
with a bash script. And that's Brandon McCann and Thomas McCarthy, also from pentestgeek.
So credit where credit is due, of course, WCE, Hernan Ochoa, smbclient and winexe
hashpassing patches, Joe McCann, Emilio Escobar who is also the lead developer of Ettercap,
Skip Duckwall, of course, Mr. Duckwall, you know, the original vanish script, the Samba
team, of course, winexe, Metasploit, HD, Egypt, everybody, thank you so much, we appreciate
it, Fedora and nmap team, creddump, NTDSXtract, the list goes on and on. So basically,
I couldn't, smbexec really wouldn't work without that. So I don't know if I have time
for questions, but please give to Hackers for Charity, go buy a T‑shirt or something,
we love those guys. On Twitter I'm brav0hax, on IRC I'm Johnny Bravo. Thank you very much.
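The caveats in the talk name the artifacts this kind of automation leaves behind: a service installed by winexe with its binary on disk, reg.exe saving the SAM/SECURITY/SYSTEM hives, a shadow copy created on the domain controller and a burst of network logons from one source. The following is an added defender-side example, not code from the talk or the smbexec project, that flags those patterns in a constructed set of Windows event records; the field names, the winexesvc service name and the shadow-copy command strings are assumptions.

```python
import re
from collections import Counter

# Constructed sample events, not real logs: a normalised view of Windows event
# IDs 4624 (logon), 7045 (service installed) and 4688 (process created). Field
# names, the service name and the command strings are assumptions for this example.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "logon_type": 3, "src": "10.0.0.5"},
    {"id": 4624, "host": "WS01", "logon_type": 3, "src": "10.0.0.5"},
    {"id": 4624, "host": "WS01", "logon_type": 3, "src": "10.0.0.5"},
    {"id": 7045, "host": "WS01", "service": "winexesvc", "image": r"C:\Windows\winexesvc.exe"},
    {"id": 4688, "host": "WS01", "cmdline": r"reg.exe save hklm\sam C:\Windows\Temp\sam"},
    {"id": 4688, "host": "WS01", "cmdline": r"reg.exe save hklm\security C:\Windows\Temp\sec"},
    {"id": 4688, "host": "DC01", "cmdline": "vssadmin create shadow /for=C:"},
    {"id": 4688, "host": "DC01", "cmdline": r"copy <shadow copy path>\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit"},
    {"id": 4624, "host": "DC01", "logon_type": 3, "src": "10.0.0.9"},
]

# reg.exe saving the SAM, SECURITY or SYSTEM hive (local hashes, cached creds, syskey)
HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
SHADOW_CREATE = re.compile(r"vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create", re.I)
NTDS_COPY = re.compile(r"\bcopy\b.*ntds\.dit", re.I)  # live ntds.dit is locked; a copy implies a snapshot

def detect(events, logon_burst=3):
    """Return (host, finding) tuples for the red flags the talk describes."""
    findings = []
    logons = Counter()
    for e in events:
        host = e["host"]
        if e["id"] == 4624 and e.get("logon_type") == 3:
            logons[(host, e["src"])] += 1          # network logon over 139/445
        elif e["id"] == 7045:
            findings.append((host, f"service installed: {e['service']} -> {e['image']}"))
        elif e["id"] == 4688:
            cmd = e.get("cmdline", "")
            if HIVE_SAVE.search(cmd):
                findings.append((host, "registry hive saved to disk: " + cmd))
            if SHADOW_CREATE.search(cmd):
                findings.append((host, "shadow copy created: " + cmd))
            if NTDS_COPY.search(cmd):
                findings.append((host, "ntds.dit copied: " + cmd))
    # automated tooling logs in several times in a row from the same source
    for (host, src), n in logons.items():
        if n >= logon_burst:
            findings.append((host, f"{n} network logons from {src}"))
    return findings

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(f"[{host}] {finding}")
```

The single DC01 logon stays below the burst threshold, so only the repeated workstation logons are reported alongside the service, hive-save, shadow-copy and ntds.dit findings.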
